IBM Security MaaS360

  • 1.  NFC/QR code programming

    Posted Wed July 31, 2019 12:30 PM
    Hello...I'm hoping someone might be able to shed some light on this. Using a QR code appears to be fully supported, but I am having some trouble getting all of the pieces to come together under one enrollment. I would like to basically have the zero-touch configuration part put into a custom QR code, but there appear to be some requirements that are missing or wrong.

    Does anyone happen to have already broken this down?

    {
      "android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE": {
        "enrollment_corp_id": "30111350",
        "disallow_enrollment_skipping": true,
        "enrollment_account_type": "deviceAccount",
        "prompt_for_device_name": false,
        "enrollment_domain": "*********.com",
        "enrollment_username": "*******.user@********.com",
        "enrollment_email": "******.maas@gmail.com",
        "enrollment_password": "**********!",
        "enrollment_ownership": "Corporate Owned"
      }
    }

    ------------------------------
    Spectralink User
    ------------------------------


  • 2.  RE: NFC/QR code programming

    Posted Wed July 31, 2019 12:41 PM
    Hello - can you please describe where in the process you are hitting errors/roadblocks and, if there is any messaging accompanying the error, what results you are getting?

    ------------------------------
    Matt Shaver
    System Architect
    IBM
    mshaver@us.ibm.com
    ------------------------------



  • 3.  RE: NFC/QR code programming

    Posted Wed July 31, 2019 01:56 PM

    Thanks for the response.

    I'm running into numerous issues, but if I can solve any of them, I would consider it a win. 

    I can get the Accept & Continue button to enroll a device, and it will continue for a few seconds, then it will say something like 'Does not contain corporate information.'  Now, I grabbed this code from the 'ztp' area, so it's not like I'm just making this stuff up.  I did, however, notice that it encrypted the responses though, so I wasn't sure if that was a requirement if creating your own QR code.

    Ultimately, I would like to know which commands are needed to get through an enrollment without needing to go back and actually put in the user's creds.

    So...for that, from what I can read on the support site, the above code should force the device to at least see an enrollment, but it normally does not even get that far.  

    When using an nfc card or push app, I can send most of the other commands to get a device enrolled, but this seems to always hit a snag when getting to the user/server information.   Could it be the server_id variable is wrong and needs to be something like sid?  


    So, I've seen, the QR code does not contain company information (totally crazy error that is obviously not correct), but I can get past that when using corporate networks that use some form of authentication, but not to automatically connect to the server.

    It looks like Knox and ztp are trying to use qr codes as opposed to nfc, which is fine, and should be easy to customize.  What is puzzling is that it is not.  

    So, I guess a real way to answer this, would just be to include the different application calls required for enrollment, as it looks like the device_component_admin and device_component_checksum are either customized, or different than normal enrollments.  The com.android.managedprovisioning should need basic calls to enroll, but since it does not appear to like them, I am asking for your help.  

    Thanks...



    ------------------------------
    Spectralink User
    ------------------------------



  • 4.  RE: NFC/QR code programming

    Posted Wed July 31, 2019 02:33 PM

    I think I follow - but correct me if I am wrong - you are generating user enrollment JSON info in the zero touch area and then using that to create a custom QR?

    We do have direct QR code creation in the portal - have you attempted that?  Head to Devices-->Enrollments-->Other Enrollment Options-->QR Code for DO provisioning.  There are 2 tabs - 1 is for wifi, but the other is for user credentials - similar to the zero touch setup fields.  Using this QR code generator should complete the enrollment as expected.

    The other thing I'll mention is that pre-configuring the app requires that the fields all be filled out.  If one of them is blank, it can cause an error as the app will see incomplete enrollment data.



    ------------------------------
    Matt Shaver
    System Architect
    IBM
    mshaver@us.ibm.com
    ------------------------------
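
The point in the reply above, that a blank field makes the app see incomplete enrollment data, can be checked before a QR code is generated. This is an added example, not part of the original thread and not IBM or MaaS360 code: `lint_payload` and the sample values are constructed, the bundle keys are the ones posted in the thread, and the top-level checks assume the standard Android provisioning extras.

```python
import json

EXTRAS = "android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE"
# Standard Android provisioning extras (platform keys, not MaaS360-specific).
COMPONENT = "android.app.extra.PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME"
DOWNLOAD = "android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION"
CHECKSUMS = (
    "android.app.extra.PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM",
    "android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_CHECKSUM",
)
SECRET_KEYS = {"enrollment_password"}  # bundle key from the thread

def lint_payload(text):
    """Return findings for a QR provisioning payload; an empty list is clean."""
    try:
        payload = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc.msg} at char {exc.pos}"]
    if not isinstance(payload, dict):
        return ["top level must be a JSON object"]
    findings = []
    if COMPONENT not in payload:
        findings.append("missing device admin component name")
    if DOWNLOAD in payload and not any(k in payload for k in CHECKSUMS):
        findings.append("download location without a checksum")
    bundle = payload.get(EXTRAS)
    if not isinstance(bundle, dict):
        return findings + ["missing admin extras bundle"]
    for key, value in bundle.items():
        # Booleans such as false are valid values; only null/empty strings count.
        if value is None or (isinstance(value, str) and not value.strip()):
            findings.append(f"blank field: {key}")
    for key in sorted(SECRET_KEYS & bundle.keys()):
        if bundle[key]:
            findings.append(f"plaintext secret in QR: {key}")
    return findings

# Constructed sample: one blank field, a password, and no checksum.
SAMPLE = json.dumps({
    COMPONENT: "com.example.dpc/.AdminReceiver",
    DOWNLOAD: "https://example.invalid/dpc.apk",
    EXTRAS: {
        "enrollment_corp_id": "00000000",
        "prompt_for_device_name": False,
        "enrollment_domain": "",
        "enrollment_username": "user@example.invalid",
        "enrollment_password": "constructed-secret",
    },
})
```

A QR payload is readable by anyone who can scan or photograph it, which is why the linter reports the embedded password instead of treating it as ordinary data. A payload cut off before its closing brace is reported as invalid JSON before any field checks run.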



  • 5.  RE: NFC/QR code programming

    Posted Wed July 31, 2019 03:19 PM
    Thanks Matt.  Maybe you could answer a different question for me that hopefully will let me get past the part causing issues.  But to answer your question, yes...using the enrollment wizard you mentioned is ok for one or two...not 100s of devices.  

    Can you list the required items?  

    The wifi isn't required, right?  So it would just be the server or org group, the email, user, and password.  

    Or is the source and checksum required?  I thought I was able to get past those, but maybe I'm not remembering correctly or it just did not specifically cause an error when it hit that part of the code.    

    Ultimately, I need to get a smooth enrollment going where I don't have to touch the device...using the current QR or nfc, I still need to touch devices.  

    There is one item I have not tried, and I'm wondering if it might solve any of the other issues.  Does loading the serial number in the console register the device with the EMM like it would if it were using ztp?  

    Thanks again...

    ------------------------------
    Spectralink User
    ------------------------------